Arkose Labs

Arkose Labs

Fraud prevention platform specializing in account protection and bot mitigation. Presents users with interactive enforcement challenges when suspicious activity is detected. The Arkose Labs script runs device and behavior analysis before surfacing challenges, targeting credential stuffing, fake account creation, and payment fraud.

Back to Vendor Library

Overview

Arkose Labs is a San Francisco-based fraud prevention and bot mitigation platform founded in 2017. It specialises in protecting high-value account actions — login, registration, checkout, and password reset flows — from automated attacks including credential stuffing, account takeover (ATO), fake account creation, payment fraud, and scraping. Arkose Labs is deployed by major enterprises across financial services, gaming, social media, and e-commerce, including companies such as Microsoft, Roblox, and PayPal. Its enforcement mechanism relies on adaptive interactive challenges (MatchKey, GameKey) that are computationally expensive for bots to solve but remain usable for legitimate users.

What This Script Does

The Arkose Labs enforcement script loads from client-api.arkoselabs.com and performs continuous, transparent device and behaviour analysis while the user interacts with a protected form or action flow.

Device intelligence collected:

  • Browser fingerprint: user agent, installed fonts, canvas fingerprint, WebGL renderer string, available plugins
  • Hardware signals: screen resolution, colour depth, device memory (if available), CPU core count
  • Network metadata: IP address, connection type indicators
  • Timezone and language settings
  • JavaScript execution environment characteristics (detecting headless browsers, automation frameworks like Selenium or Puppeteer)

Behavioural biometrics monitored:

  • Mouse movement paths and velocity during form interaction
  • Keystroke timing patterns (dwell time, flight time between keystrokes)
  • Touch event characteristics on mobile devices
  • Navigation speed and interaction cadence
  • Scroll and click patterns that differentiate human from automated input

Cookies and storage:

  • arkose_session — Session-scoped token associating the challenge response with the current form submission; transmitted to the Arkose Labs verification API to validate the challenge was completed legitimately; expires at session end.
  • No persistent cross-session tracking cookies are set for advertising or analytics purposes. Device signals are processed server-side for risk scoring without long-term client-side storage.

Script filenames and CDN: api.js loaded from client-api.arkoselabs.com. Challenge assets (game images, audio for accessibility) served from Arkose Labs' Cloudflare-backed CDN. Risk score verification calls go to verify-api.arkoselabs.com.

Consent & Compliance

Arkose Labs is classified under the essential category. Its sole function is security and fraud prevention — protecting the website operator and its legitimate users from automated attacks and account takeover. Under GDPR Recital 47, fraud prevention constitutes a legitimate interest of the data controller, and the ePrivacy Directive's strictly necessary exemption applies to security measures protecting the requested service. The device fingerprinting and behavioural analysis performed by Arkose Labs is bounded to security risk scoring and is not shared with advertising networks or used for user profiling beyond fraud prevention. Arkose Labs participates in the EU-US Data Privacy Framework for data transfer compliance.

Should You Block This Without Consent?

No. Arkose Labs is a security tool that protects against bot attacks, credential stuffing, and payment fraud. It operates as an essential script protecting form submissions and account actions, and does not require consent to load.

Visit website

Consent Categories

Essential

Also Known As

Arkose LabsArkoseCAPTCHA consentbot detection privacyfraud prevention scriptFunCaptcha

Industries

Computer SecurityComputers Electronics and Technology

Tracked Domains (1)

arkoselabs.comEssential

Frequently Asked Questions

Does Arkose Labs require user consent before loading?

No. Arkose Labs is classified as essential. It provides bot mitigation and fraud prevention for login and checkout flows. Under GDPR Recital 47, fraud prevention is a legitimate interest, and the ePrivacy strictly necessary exemption applies. No consent is required before loading.

What data does the Arkose Labs script collect?

The script collects browser fingerprint signals including canvas hash, WebGL renderer, plugins, screen resolution, and device memory. It also monitors behavioral biometrics — mouse velocity, keystroke timing, and click patterns — to distinguish human users from bots. A session cookie links challenge responses to form submissions.

How does ConsentStack handle Arkose Labs?

ConsentStack classifies Arkose Labs as essential and keeps it active regardless of visitor consent choices. It is never blocked by the consent banner, ensuring fraud protection on login and checkout forms remains uninterrupted for all visitors.

Related Vendors

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Arkose Labs

ConsentStack automatically detects and manages Arkose Labs trackers so your site stays compliant with global privacy regulations.

Get started free